The Inspector General
National Archives and Records Administration


                              INDEPENDENT AUDITOR'S REPORT


We have audited the accompanying consolidated balance sheet of the National Archives and Records
Administration (NARA) as of September 30, 2010 and 2009, and the related Statements of Net Cost,
Changes in Net Position, and Budgetary Resources for the years then ended. These financial statements
are the responsibility of NARA management. Our responsibility is to express an opinion on the financial
statements based on our audits.

We conducted our audits in accordance with auditing standards generally accepted in the United States
of America; standards applicable to financial statement audits contained in Government Auditing
Standards, issued by the Comptroller General of the United States; and Office of Management and
Budget (OMB) audit guidance. Those standards require that we plan and perform the audit to obtain
reasonable assurance about whether the financial statements are free of material misstatement. An
audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the
financial statements.
An audit also includes assessing the accounting principles used and significant
estimates made by management, as well as evaluating the overall financial statements' presentation.
We believe that our audits provide a reasonable basis for our opinion.

In our opinion, the financial statements referred to above present fairly, in all material respects, the
financial position of NARA as of September 30, 2010 and 2009, and its net cost, changes in net position,
and budgetary resources for the years then ended, in conformity with accounting principles generally
accepted in the United States of America.

In accordance with Government Auditing Standards, we have also issued our reports dated November
12, 2010, on our consideration of NARA's internal control over financial reporting, and on our tests of
NARA's compliance with certain provisions of laws and regulations and other matters. The purpose of
those reports is to describe the scope of our testing on internal control over financial reporting and
compliance, and the results of that testing, and not to provide an opinion on the internal control over
financial reporting or on compliance. Those reports are an integral part of an audit performed in
accordance with Government Auditing Standards and should be read in conjunction with this report in
considering the results of our audits.

The information in the Management Discussion and Analysis and Required Supplementary Information
sections is not a required part of the consolidated financial statements, but is supplementary
information required by accounting principles generally accepted in the United States of America. We
have applied certain limited procedures, which consisted principally of inquiries of management
regarding methods of measurement and presentation of this information.
We did not, however, audit
this information and, accordingly, we express no opinion on it.

Our audits were conducted for the purpose of forming an opinion on the consolidated financial
statements taken as a whole. The information in the Message from the Archivist, Performance Section,
and Other Accompanying Information is presented for purposes of additional analysis and is not
required as part of the consolidated financial statements. This information has not been subjected to
auditing procedures and, accordingly, we express no opinion on it.


COTTON & COMPANY LLP

Colette Y. Wilson
Partner


Alexandria, Virginia
November 12, 2010


The Inspector General
National Archives and Records Administration


                    INDEPENDENT AUDITOR'S REPORT ON INTERNAL CONTROL

We have audited the financial statements of the National Archives and Records Administration (NARA)
as of September 30, 2010 and 2009, and have issued our report thereon dated November 12, 2010. We
conducted our audits in accordance with auditing standards generally accepted in the United States of
America; standards applicable to financial audits contained in Government Auditing Standards, issued by
the Comptroller General of the United States; and Office of Management and Budget (OMB) audit
guidance.

In planning and performing our audits of NARA's financial statements as of and for the years ended
September 30, 2010 and 2009, in accordance with auditing standards generally accepted in the United
States of America, we considered NARA's internal control over financial reporting (internal control) as a
basis for designing our auditing procedures for the purpose of expressing our opinion on the financial
statements, but not for the purpose of expressing an opinion on the effectiveness of NARA's internal
control.
Accordingly, we do not express an opinion on the effectiveness of NARA's internal control.

A deficiency in internal control exists when the design or operation of a control does not allow
management or employees, in the normal course of performing their assigned functions, to prevent, or
detect and correct, misstatements on a timely basis. A material weakness is a deficiency, or combination
of deficiencies, in internal control, such that there is a reasonable possibility that a material
misstatement of an entity's financial statements will not be prevented, or detected and corrected, on a
timely basis.

Our consideration of internal control was for the limited purpose described in the second paragraph and
was not designed to identify all deficiencies in internal control that might be deficiencies, significant
deficiencies, or material weaknesses. We did not identify any deficiencies in internal control that we
consider to be material weaknesses, as defined above. However, we identified certain deficiencies in
internal control that we consider to be a significant deficiency. A significant deficiency is a deficiency, or
a combination of deficiencies, in internal control that is less severe than a material weakness, yet
important enough to merit attention by those charged with governance.

INFORMATION TECHNOLOGY

During Fiscal Year (FY) 2010, NARA continued to make improvements in its information technology (IT)
control environment by addressing recommendations made in previous audits. Improvements are still
needed in the IT control areas of access controls and configuration management, as noted below and in
Appendix A to this report.

In addition, contingency planning and security management issues identified in prior years also remain
open. Deficiencies identified during the FY 2010 financial statement audit are discussed below.
These
issues, combined with open recommendations from the prior-year financial statement audit (see
Appendix A), collectively represent a significant deficiency in internal control over financial reporting.

Access Controls

Access controls provide reasonable assurance that access to computer resources is reasonable and
restricted to authorized individuals. NARA's procedures for creating, identifying and authenticating, and
providing accountability over NARANet accounts did not ensure that all accounts were properly
authorized. Specific issues identified during testing are discussed below.

Account Creation. NARA has not implemented sufficient account creation controls to ensure that all
new NARANet accounts are requested and authorized by a user's supervisor, or that the help desk
ticket/access form process is properly followed. In our tested sample of new accounts, we noted the
following issues:

    •   Proper documentation did not exist to support the creation of the account

    •   Accounts were created without first obtaining adequate supervisory approval

    •   Accounts were initiated by the end-user

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 3:
Recommended Security Controls for Federal Information Systems and Organizations, requires the
following:

        AC-2 ACCOUNT MANAGEMENT

        The organization manages information system accounts, including:

        a. Identifying account types (i.e., individual, group, system, application, guest/anonymous, and
           temporary);
        b. Establishing conditions for group membership;
        c. Identifying authorized users of the information system and specifying access privileges;
        d. Requiring appropriate approvals for requests to establish accounts; …
        i.
           Granting access to the system based on: (i) a valid access authorization; (ii) intended system
           usage; and (iii) other attributes as required by the organization or associated
           missions/business functions; and
        j. Reviewing accounts [Assignment: organization-defined frequency].

Without effective account creation/authorization controls in place, NARA cannot ensure that current
employees are not requesting unapproved and unauthorized access, potentially making them
unauthorized members of groups that can access files and spreadsheets stored on financial share drives.
NARA does require a badge to obtain a network account, which serves as a compensating control to
ensure this weakness cannot be exploited by an individual who does not already have access to NARA
facilities.

Recommendation 1. We recommend that the NARA Chief Information Officer (CIO) require a record of
logged-in users creating account requests to show that requests are being generated by a supervisor, not
the user.

Identification and Authentication. Identification and Authentication controls provide reasonable
assurance that individual users are uniquely identified and authenticated for all accesses other than
those explicitly identified and documented by an organization. To properly address this requirement,
the unique identification of individuals with access to group accounts (e.g., shared privilege accounts)
must be considered for detailed accountability of activity.

NARA has not implemented sufficient Identification and Authentication controls to ensure that the
Order Fulfillment and Accounting System (OFAS) application uniquely identifies all application users.
We
identified a shared domain administrator account within OFAS that is used as an OFAS support team
group account, with a shared password, to perform activities in the OFAS application.

NIST SP 800-53, Revision 3, requires the following:

        IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

        The information system uniquely identifies and authenticates organizational users (or
        processes acting on behalf of organizational users).

        Supplemental Guidance: Organizational users include organizational employees or
        individuals the organization deems to have equivalent status of employees (e.g.,
        contractors, guest researchers, individuals from allied nations). Users are uniquely
        identified and authenticated for all accesses other than those accesses explicitly
        identified and documented by the organization in AC-14. Unique identification of
        individuals in group accounts (e.g., shared privilege accounts) may need to be considered
        for detailed accountability of activity.

Without the ability to uniquely identify and authenticate individual users of the shared Domain Admin
account, accountability for activities and events performed by the account cannot be established.

Recommendation 2. We recommend that the NARA CIO assign one individual to the shared account, or
split responsibilities of the shared account to additional administrator accounts, to allow accountability
of administrator activities to be established.

Audit and Accountability. Audit and Accountability controls provide reasonable assurance that an
organization is complying with required industry standards, as well as its own policies and procedures.
NARA has not implemented sufficient audit and accountability controls over audit settings and logging
and monitoring, as described below.

    •   Audit Settings.
        Audit settings within an information system define what events or activities
        generate an audit log and what information about the event is included in the log.
        During the audit, we noted that NARANet's audit settings were not configured to log group
        membership add and delete activities.

    •   Logging and Monitoring. Logging and Monitoring is the process an organization follows to track,
        review, and escalate (if necessary) the events captured in audit logs generated by the
        system/OS/network/application. During the audit, we noted that NARA's Audit and
        Accountability Methodology is not being enforced or followed. General Support System (GSS)
        and application-specific issues noted during testing are discussed below:

        -   OFAS. Controls were not adequate to ensure that the OFAS application was configured to
            log all required auditable events (per NARA IT Security Methodology for Audit and
            Accountability) and that procedures were implemented to appropriately review these logs
            on a regular basis. OFAS was reconfigured on September 29, 2010, to begin to log account
            creations, deletions, and modifications. Before this, settings were not in place, and there is
            still no formal process for reviewing the logs periodically.

        -   NARANet. NARA personnel reviewed network activity logs on an as-needed basis, but not
            routinely and periodically. Management is currently working to address this by
            implementing a log consolidation and monitoring tool, Netforensics.

        -   RCPBS.
            Controls were not adequate to ensure that the Records Center Program Billing
            System (RCPBS) application was configured to log all required auditable events (per NARA IT
            Security Methodology for Audit and Accountability) and that procedures were implemented
            to appropriately review these logs on a regular basis. We found no evidence to show that
            RCPBS is configured to log all required events, or that standard log monitoring procedures
            were established and are being performed.

NIST SP 800-53, Revision 3, requires the following:

        AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING

        The organization:

        a. Reviews and analyzes information system audit records [Assignment: organization-defined
           frequency] for indications of inappropriate or unusual activity, and reports findings to
           designated organizational officials; and

        b. Adjusts the level of audit review, analysis, and reporting within the information system when
           there is a change in risk to organizational operations, organizational assets, individuals,
           other organizations, or the Nation based on law enforcement information, intelligence
           information, or other credible sources of information.

Additionally, NARA IT Security Methodology for Audit and Accountability, dated July 15, 2009, requires
the following:

       2 AUDITABLE EVENTS [AU-2]

       This section describes how NARA meets the NARA IT Security Architecture control [AU-2] for
       Auditable Events.

       NARA's security policy for Auditable Events is as follows:

       NARA Office of IT Services (NH) develops, disseminates, and at least annually reviews and
       updates a formal, documented audit and accountability policy that addresses purpose, scope,
       roles, responsibilities, management commitment,
       coordination among NARA entities, and
       compliance; and formal, documented procedures to facilitate the implementation of the audit
       and accountability policy and associated audit and accountability controls.

       NARA's security requirements for Auditable Events are as follows:

       [AU-2.1] Each information system generates audit records for the following events:

                   •   Startup and shutdown
                   •   Account Creation
                   •   Authentication
                   •   Authorization and Permission granting/changing
                   •   Actions by trusted users
                   •   Password changes for privileged users
                   •   Unsuccessful login attempts

       [AU-2.2] NH shall identify important events which need to be audited as significant and relevant
       to the security of each information system. System Owner shall identify any additional specific
       events relevant to the system's sensitivity level. Audit records shall be generated at various levels
       of abstraction, including at the packet level as information traverses the network. System Owner
       shall specify in the SSP which information system components carry out auditing activities. The
       security audit function shall coordinate with the network health and status monitoring function
       to enhance the mutual support between the two functions by the selection of information to be
       recorded by each function.

Without appropriately configured audit settings and an effective logging and monitoring process,
management cannot ensure that only appropriate accesses and activities are taking place.

Recommendation 3.
We recommend that the NARA CIO:

   •   Reconfigure audit settings within the NARANet Novell environment to log group membership
       add and delete activities.

   •   Continue with the implementation of Netforensics and, once in place, ensure that procedures
       exist for identifying key events that will be alerted on and reviewed by management on a
       periodic basis.

   •   Continue with efforts to audit account creations, deletions, and modifications within OFAS and
       develop standard procedures for regularly reviewing and monitoring application audit logs.

   •   Enable logging of all events within RCPBS required by NARA IT Security Methodology for Audit
       and Accountability, and develop standard procedures for regularly reviewing and monitoring
       application activity logs.

Configuration Management

Configuration Management controls provide reasonable assurance that changes to an organization's IT
infrastructure, hardware, or software are properly managed and tracked, and that baseline
configurations are defined and configured within the production environment. During testing, we
identified issues with NARA's baseline configuration practices. They are discussed below.

Configuration baselines provide current specifications for how an information system/network device,
application, hardware, and software are built. Additionally, baselines provide individuals with
configuration management responsibilities within the organization a benchmark to compare against
actual configurations.

NARA has developed configuration instructions and has a beginning baseline for configuration for
switches. Configuration instructions or baselines are not, however, in place for NARA's routers and
firewalls.
The current baseline is not based on, and does not address all areas in, the approved checklists for
the router and firewall platforms and devices in use, as contained in NIST SP 800-70, National Checklist
Program for IT Products – Guidelines for Checklist Users and Developers.

NIST SP 800-53, Revision 3, requires the following:

        CM-6 CONFIGURATION SETTINGS

        The organization:
        a. Establishes and documents mandatory configuration settings for information technology
            products employed within the information system using [Assignment: organization-defined
            security configuration checklists] that reflect the most restrictive mode consistent with
            operational requirements;
        b. Implements the configuration settings;
        c. Identifies, documents, and approves exceptions from the mandatory configuration settings
            for individual components within the information system based on explicit operational
            requirements; and
        d.
            Monitors and controls changes to the configuration settings in accordance with
            organizational policies and procedures.

Additionally, NARA IT Security Methodology for Configuration Management, dated January 13, 2010,
requires the following:

        6 Configuration Settings [CM-6]

        This section describes how NARA meets the NARA IT Security Architecture control [CM-6] for
        Configuration Settings.

        NARA's security policy for Configuration Settings is as follows:

        NARA Office of Information Services (NH) establishes mandatory configuration settings for
        information technology products employed within the information system, configures the
        security settings of information technology products to the most restrictive mode consistent with
        operational requirements, documents the configuration settings, and enforces the configuration
        settings in all components of the information system.

        NARA's security requirements for Configuration Settings are as follows:

        [CM-6.1] NH shall establish mandatory configuration settings for information technology
        products employed within the information system, configure the default security settings of
        information technology products to the most restrictive mode consistent with operational
        requirements, document the configuration settings, and enforce the configuration settings in all
        components of the information system.

        [CM-6.2] NH shall monitor and control changes to the configuration settings in accordance with
        NARA policies and procedures.

        [CM-6.3] NIST SP 800-70 shall be used for guidance on producing and using configuration
        settings (i.e., checklists) for information technology products employed in NARA information
        systems.

        [CM-6.4] For high integrity
        information systems, NARA shall employ mechanisms to centrally
        manage, apply, and verify configuration settings.

The absence of documented full configuration baselines increases the risk that unauthorized access
may occur, that security weaknesses could exist within the NARANet architecture and not be detected by
management in a timely manner, and that computing resources are not in compliance with established
baselines.

Recommendation 4. We recommend that the NARA CIO improve upon NARA's current router and
firewall build process by updating the standard configuration file to be based on NIST-approved
security checklists for the router and firewall platforms and devices in use by NARA. We also recommend
that the final standard configuration be documented and compared against devices to monitor for
configuration compliance on a periodic basis.

STATUS OF PRIOR-YEAR RECOMMENDATIONS

We reviewed the status of NARA's corrective actions with respect to the significant deficiencies from the
prior-year report on internal control. Appendix A to this report provides details of the status of
recommendations.

NARA's management response to the significant deficiency identified in our report is included as
Appendix B to this report. We did not audit NARA's response and, accordingly, we provide no opinion on
it.

In addition to the significant deficiency described above, we noted certain matters involving internal
control and its operation that will be reported to NARA management in a separate letter.

This report is intended solely for the information and use of management of NARA, NARA Office of
Inspector General, Government Accountability Office, OMB, and Congress, and is not intended to be and
should not be used by anyone other than those specified parties.

COTTON & COMPANY LLP


Colette Y.
Wilson, CPA
Partner

Alexandria, Virginia
November 12, 2010


                              APPENDIX A
              NATIONAL ARCHIVES AND RECORDS ADMINISTRATION
                 STATUS OF PRIOR-YEAR RECOMMENDATIONS
                           SEPTEMBER 30, 2010

Condition/Audit Area and Recommendations, with status as of September 30, 2010

Personal Property

1. Finalize and implement its personal property policies and procedures manual during the first
   quarter of FY 2010.
   Status: Closed

2. Provide personal property-related training to NARA employees.
   Status: Closed

3. Design and implement monitoring procedures to ensure NARA employees adhere to personal
   property-related policies and procedures.
   Status: Closed

4. Design and implement procedures to ensure the accountability of assets in the custody of
   contractors.
   Status: Closed

5. Continue to implement personal property accounting functionality within the Maximo system, and
   in doing so, ensure that the application has adequate functionality to meet the requirements
   articulated by the Joint Financial Management Improvement Program (JFMIP) in its document
   titled, Property Management Systems Requirements.
   Status: Open, however no longer a significant deficiency. This deficiency will be reported to
   management in a separate report.

6.
   Perform a risk assessment to determine if it has sufficient procedures in place to mitigate risks
   posed by the manual processes used to account for personal property transactions.
   Status: Closed

7. Design and implement controls, as necessary, to address significant risks identified during the risk
   assessment.
   Status: Closed

Access Controls

8. Implement a process for managing NARANET accounts that:
    a) Requires a recertification of all system accounts at least annually.
    b) Ensures all accounts are tied to a specific individual who has the responsibility for managing
       the account, and determining the ongoing need for non-login accounts.
    c) Identifies inactive accounts on a regular basis and removes access in a timely manner.
    d) Ensures all access and privileges of terminated employees are promptly removed.
   Status: Partially Open (Termed users are not having access removed in a timely manner. Generic
   accounts are not catalogued and assigned ownership to an individual.)

9. Implement a more restrictive password age control for NARANET that is consistent with
   requirements for Federal information systems.
   Status: Closed

10.
    Implement a process for managing RCPBS accounts that:
     a) Requires a recertification of all system accounts at least annually.
        Status: Open
     b) Identifies inactive accounts on a regular basis and removes or disables access in a timely
        manner.
        Status: Closed
     c) Implements a more restrictive password age control that is consistent with requirements for
        federal information systems.
        Status: Open

11. Implement compensating logging and monitoring controls for PPMS to ensure that the risk of
    unauthorized access is mitigated.
    Status: Closed

12. Enforce its current policies and procedures used to manage systems and accounts to ensure all
    access and privileges of terminated employees are promptly removed.
    Status: Closed (see 8 d), above)

13. Ensure that supervisors receive training in their exit clearance process responsibilities, including
    alerting applicable personnel when employees and contractors under their supervision no longer
    require access.
    Status: Open

14. Continue effort to finalize the contract with the independent contractor to provide an assessment
    of NARA's incident response program, provide targeted training to NARA personnel involved with
    incident response, and to conduct simulated exercises.
    Status: Closed

15. Develop and implement policies and procedures that prohibit RCPBS users from having multiple
    accounts as well as the ability to enter and approve their own transactions.
    Status: Open

Contingency Planning

16. Fully implement a contingency planning policy consistent with guidance provided in NIST SP 800-34,
    Contingency Planning Guide for Information Technology Systems.
    Status: Closed
    The policy should include requirements for updating the contingency plan to reflect current
    operating conditions.

17. Update the contingency and disaster recovery plans for OFAS to reflect current operating
    conditions.
    Status: Closed

18. Update the contingency and disaster recovery plans for RCPBS to reflect current operating
    conditions.
    Status: Open

Security Management

19. Complete risk assessments for all NARANET components.
    Status: Open

20. Finalize and approve security plans for all NARANET components.
    Status: Open

21. Certify each NARANET component, then certify and accredit the entire NARANET general support
    system.
    Status: Open

22. Implement policies and procedures which require the completion of security and awareness
    training before being granted access to NARA information systems.
    Status: Open


                              APPENDIX B
                        MANAGEMENT COMMENTS


The Inspector General
National Archives and Records Administration


              INDEPENDENT AUDITOR'S REPORT ON COMPLIANCE AND OTHER MATTERS


We have audited the financial statements of the National Archives and Records Administration (NARA)
as of, and for the years ended, September 30, 2010 and 2009, and have issued our report thereon dated
November 12, 2010. We conducted our audits in accordance with auditing standards generally accepted
in the United States of America; standards applicable to financial audits contained in Government
Auditing Standards, issued by the Comptroller General of the United States; and Office of Management
and Budget (OMB) audit guidance.

NARA's management is responsible for complying with laws and regulations applicable to NARA.
As part
of obtaining reasonable assurance about whether NARA's financial statements are free of material
misstatements, we performed tests of NARA's compliance with certain provisions of laws and
regulations that have a direct and material effect on the financial statements. We did not test
compliance with all laws and regulations applicable to NARA. We limited our tests of compliance to
those provisions of laws and regulations required by OMB audit guidance that we deemed applicable to
the financial statements for the fiscal year ended September 30, 2010. We caution that noncompliance
may have occurred and may not have been detected by these tests, and that such testing may not be
sufficient for other purposes.

The results of our tests of compliance with laws and regulations described in the preceding paragraph
disclosed no instances of material noncompliance that are required to be reported under Government
Auditing Standards and OMB audit guidance. Providing an opinion on compliance with certain provisions
of laws and regulations was not, however, an objective of our audit, and, accordingly, we do not express
such an opinion.

This report is intended solely for the information and use of management of NARA, NARA Office of
Inspector General, the Government Accountability Office, OMB, and Congress, and is not intended to be
and should not be used by anyone other than those specified parties.

COTTON & COMPANY LLP

Colette Y. Wilson
Partner


Alexandria, Virginia
November 12, 2010
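The Internal Control report above finds that NARANet's audit settings were not configured to log group membership add and delete activities, that logs were reviewed only as needed, and that each NARA system must generate records for the seven event classes listed in NARA's [AU-2.1]; Recommendation 3 asks for both the missing audit settings and a periodic review procedure. As an added example that is not part of the OIG report or of any NARA or Cotton & Company tooling, the Python script below runs an audit-record coverage check of the kind a reviewer could use to detect such a gap: it maps each record onto an AU-2.1 category, reports required categories that received no records over the period, and extracts group membership changes for the periodic review. The log line layout, the event-type tokens, the mapping onto AU-2.1 categories, and the sample records are all constructed assumptions, not NARANet's real format.

```python
import re
from collections import Counter

# The seven event classes every NARA information system must audit, as listed
# in the NARA IT Security Methodology for Audit and Accountability [AU-2.1]
# quoted in the report.
REQUIRED_CATEGORIES = (
    "startup_shutdown",
    "account_creation",
    "authentication",
    "authorization_change",
    "trusted_user_action",
    "privileged_password_change",
    "unsuccessful_login",
)

# ASSUMPTION: event-type tokens of a hypothetical log format, mapped onto the
# AU-2.1 categories. A real system maps its own event identifiers here.
EVENT_TO_CATEGORY = {
    "SYSTEM_START": "startup_shutdown",
    "SYSTEM_STOP": "startup_shutdown",
    "ACCOUNT_CREATE": "account_creation",
    "LOGIN_SUCCESS": "authentication",
    "LOGIN_FAILURE": "unsuccessful_login",
    "GROUP_MEMBER_ADD": "authorization_change",
    "GROUP_MEMBER_DELETE": "authorization_change",
    "ADMIN_ACTION": "trusted_user_action",
    "PRIV_PASSWORD_CHANGE": "privileged_password_change",
}

# ASSUMPTION: constructed line layout, not NARANet's real format:
#   <ISO timestamp> <system> <EVENT_TYPE> actor=<id> <free-text detail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<system>\S+)\s+(?P<event>[A-Z_]+)\s+actor=(?P<actor>\S+)\s*(?P<detail>.*)$"
)


def parse_line(line):
    """Parse one log line into a record dict; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["category"] = EVENT_TO_CATEGORY.get(rec["event"])  # None if unmapped
    return rec


def coverage_report(lines):
    """Count records per AU-2.1 category and list the categories with none.

    A required category with zero records over a review period means the
    system is not generating (or the collector is not receiving) that class
    of audit record, which is the gap the report describes for group
    membership add/delete events on NARANet.
    """
    counts = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        elif rec["category"] is not None:
            counts[rec["category"]] += 1
    missing = [c for c in REQUIRED_CATEGORIES if counts[c] == 0]
    return {"counts": dict(counts), "missing": missing, "unparsed": unparsed}


def group_membership_changes(lines):
    """Return the records a periodic reviewer must see: every group membership
    add or delete, with the acting account and the detail of the change."""
    wanted = {"GROUP_MEMBER_ADD", "GROUP_MEMBER_DELETE"}
    return [r for r in map(parse_line, lines) if r and r["event"] in wanted]


# Constructed sample: one day of records from a system whose audit settings
# do not capture group membership changes (the condition the report describes).
LOG_BEFORE = """\
2010-09-28T06:00:01Z naranet SYSTEM_START actor=system boot complete
2010-09-28T08:12:44Z naranet LOGIN_SUCCESS actor=jdoe workstation=WS-101
2010-09-28T08:13:02Z naranet LOGIN_FAILURE actor=asmith bad password
2010-09-28T09:30:10Z naranet ACCOUNT_CREATE actor=helpdesk1 new_account=rlee ticket=HD-0001
2010-09-28T10:05:33Z naranet ADMIN_ACTION actor=admin2 changed ACL on share FIN-SHARE
2010-09-28T11:45:00Z naranet PRIV_PASSWORD_CHANGE actor=admin2 target=admin2
this line is not in the expected format and is counted as unparsed
""".splitlines()

# Constructed sample after audit settings were reconfigured: the same day plus
# a group membership change that the reviewer can now see.
LOG_AFTER = LOG_BEFORE + [
    "2010-09-29T14:20:05Z naranet GROUP_MEMBER_ADD actor=admin2 group=FIN-SHARE-RW member=rlee",
]

if __name__ == "__main__":
    for name, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        report = coverage_report(log)
        print(name, "missing:", report["missing"], "unparsed:", report["unparsed"])
    for rec in group_membership_changes(LOG_AFTER):
        print("review:", rec["ts"], rec["actor"], rec["event"], rec["detail"])
```

Run against the first sample, the report lists `authorization_change` as the only category with no records, which is exactly how the NARANet audit-settings gap would surface in a routine review; the second sample shows the gap closed and the new group membership record queued for the reviewer. Counting unparsed lines separately matters in practice: a collector silently dropping malformed records looks the same as a system that never generated them.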